Pawn Storm used Microsoft zero-day in spear-phishing attacks before patch

The notorious Pawn Storm group exploited a Microsoft zero-day vulnerability in a number of spear-phishing campaigns before the tech giant had a chance to release a patch.

Trend Micro explains it saw the Russian hacking group abusing two zero-day bugs to target various governments and embassies around the world between 28 October 2016 and early November 2016:

“In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.”

In one campaign, the attackers spoofed the account of a press officer to send targets a fake email about nuclear threats in Europe. The email came with a link which, when clicked, directed victims to Pawn Storm’s exploit kit.

After collecting information about the target’s machine, the exploit server either redirected them to a benign server or sent over an exploit for one of the two security holes.

Source: Trend Micro

Another wave of attacks tricked recipients into thinking they had received an invitation to a threat intelligence and incident response conference in November.

Source: Trend Micro

Trend Micro says that campaign came with a malicious attachment called “Programm Details.doc”:

“Opening the RTF document (detected by Trend Micro as TROJ_ARTIEF.JEJOSU) would show the program details of the real conference, which was to be held in London in late November 2016. However, the RTF document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server.”

Shame on you, Google! Competition is no reason to jeopardize users’ digital security. Your teams should have worked with Microsoft to raise awareness about the bug, an effort which should have went public once the latter released a fix.

I can only hope Google will make better decisions in the future. If not, perhaps its competitors won’t mind doing some irresponsible disclosure of their own, thereby further making the rest of us unsafe.

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!